weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Cleanup

Browse Source 
Signed-off-by: irbekrm <irbekrm@gmail.com>
This commit is contained in:
irbekrm 2023-03-27 10:11:41 +01:00
parent de34694516
commit 241680658b
1 changed files with 9 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
design/20190708.certificate-request-crd.md
View File

@ -55,6 +55,7 @@ status: implementable
:warning: Parts of this design are out of date with regards to the current implementation. :warning: Parts of this design are out of date with regards to the current implementation.
See also https://cert-manager.io/docs/concepts/certificaterequest/. See also https://cert-manager.io/docs/concepts/certificaterequest/.
## Summary ## Summary
Currently, certificates issued via cert-manager rely on the `Certificate` Currently, certificates issued via cert-manager rely on the `Certificate`
@ -398,12 +399,12 @@ minimal as possible in that the single goal of them is to enable its owning
`CertificateRequest` has been observed, the general flow is as follows: `CertificateRequest` has been observed, the general flow is as follows:
- Check the group belongs to the owning `Issuer`, exit if not. - Check the group belongs to the owning `Issuer`, exit if not.
- Check if `CertificateRequest` is in a failed state. - Check if `CertificateRequest` is in a terminal failed state.
An controller may choose to add additional conditions to a failed `CertificateRequest`, but must not attempt to issue a certificate. A controller may choose to add additional conditions to a failed `CertificateRequest`, but must not attempt to issue a certificate.
Currently failed states are: Currently terminal failed states are:
- `Ready` condition with a `Failed` reason // usually set by the issuer - `Ready` condition with a `Failed` reason // usually set by the issuer
- `InvalidRequest` condition with `True` status // usually set by the issuer - `InvalidRequest` condition with `True` status // usually set by the issuer
- `Denied` condition // usually set by approver - `Denied` condition with `True` status // usually set by approver
- Check the `Issuer` type is of the same type, exit if not. - Check the `Issuer` type is of the same type, exit if not.
- Verify the Spec of the `CertificateRequest`. - Verify the Spec of the `CertificateRequest`.
@ -434,12 +435,12 @@ this resource.
#### Issuing Controller #### Issuing Controller
Issuing controller considers all Denied CertificateRequests to be in a final failed state. Issuing controller considers all Denied CertificateRequests to be in a final failed state.
The issuance will be failed and will be continuously retried with an exponential backoff ../20220118.certificate-issuance-exponential-backoff.md. The issuance will be failed and will be repeatedly retried with an exponential backoff ../20220118.certificate-issuance-exponential-backoff.md.
If the cause of the denial was a misconfigured Certificate spec, the issuance will be retried immedialy once the spec is corrected. If the cause of the denial was a misconfigured Certificate spec, the issuance will be retried immediately once the spec is corrected.
If the cause of the denial was misconfigured policy resources, a user who has fixed the resources and wants to retry immediately can do so using [cmctl renew](https://cert-manager.io/docs/reference/cmctl/#renew) If the cause of the denial was misconfigured policy resources, a user who has fixed the resources and wants to retry immediately can do so using [cmctl renew](https://cert-manager.io/docs/reference/cmctl/#renew)
The issuing controller does not check Approved condition. It is issuer's The issuing controller does not check Approved condition. It is the issuer's
responsibility to not issue certificates for CertificateRequests that have not responsibility not to issue certificates for CertificateRequests that have not
been approved. been approved.
### Failure ### Failure